Axel Werner
2011-May-23 10:49 UTC
[Samba] samba 3.2.5 + ACLs - read/write permission become read only
IN SHORT:
- READ+WRITE becomes READ ONLY
- OWNER ACL Permissions for "another User" affect Group ACL Permissions

Hi Experts,

we recently figured out some strange behaviour on our Debian 5 (Lenny, uname 2.6.26-2-686) + Samba 2:3.2.5-4lenny14 server that i would like to discuss here. I cannot tell if it's a bug or just lack of understanding.

Here is the Scenario:

I got a samba shared Directory like this:

host:/someparentdirs/_AW_TEST# ls -lad .
d---rws---+ 3 root root 4096 2011-05-23 10:33 .
host:/someparentdirs/_AW_TEST#

host:/someparentdirs/_AW_TEST# getfacl .
# file: .
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
group:CCIGUESTS:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:ALL:rwx
default:mask::rwx
default:other::---

As u can see the Group ALL is granted RWX. ANYTHING ELSE has been set to owner root.root with 000 Permissions.

This Directory contains several Files: a .txt, a .doc and a .xls, as u can see here:

host:/someparentdirs/_AW_TEST# ls -la
total 56
d---rws---+  3 root root  4096 2011-05-23 10:33 .
drwxrws---+ 32 root root  4096 2011-05-20 12:40 ..
----rwx---+  1 root root 13824 2011-05-20 16:15 excel1.xls
----rwx---+  1 root root    24 2011-05-20 16:15 file1.txt
----rwx---+  1 root root 24064 2011-05-20 16:15 word1.doc
host:/someparentdirs/_AW_TEST#

ACLs on those Files are set similarly:

host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#

NOW a given regular Windows user "wernera" which is a MEMBER OF "ALL" is supposed to have READ/WRITE PERMISSIONS on those Files, right?? At least i would expect that.

But the fact is that in this configuration my user "wernera" can only access these Files "READ ONLY", independent of which Windows Application is used. He will be able to create new files and all. But those existing Files became READ ONLY for some reason.

IF i now change that ACL to something like this (only the OWNER's part changed) ...

host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::rwx
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#

... the whole thing starts to work just as expected. Even though the "root" user should not matter here.

BTW: The User "wernera" as a regular User CAN write to those Files from the Linux Console (via ssh using vim or such, for example). So it "looks like" Samba is handling this strangely differently.

Any Ideas wtf is going on here ?????

Here are my Configs:

Kernel:
uname -r : 2.6.26-2-686
-------------------------
Samba:
dpkg -l | grep -i samba
samba          2:3.2.5-4lenny14
samba-common   2:3.2.5-4lenny14
samba-doc      2:3.2.5-4lenny14
samba-doc-pdf  2:3.2.5-4lenny14
smbldap-tools  0.9.4-1
-------------------------
ACL Tools:
dpkg -l | grep -i acl
ii  acl      2.2.47-2
ii  libacl1  2.2.47-2
-------------------------
Samba Config:
grep -v -e '^[[:space:]]*#' -e '^$' /etc/samba/smb.conf

[global]
domain logons = Yes
domain master = auto
workgroup = xxx
server string
os level = 66
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d
guest account = nobody
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = ldapsam:"ldap://localhost.domain.de"
encrypt passwords = true
obey pam restrictions = yes
unix password sync = no
check password script = /sbin/crackcheck -c -d /var/cache/cracklib/cracklib_dict
ldap suffix = dc=someou,dc=someou,dc=de
ldap admin dn = cn=admin,dc=someou,dc=someou,dc=de
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=people
ldap idmap suffix = ou=idmap
ldap passwd sync = no
ldap ssl = start tls
ldap delete dn = no
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
debug pid = yes
log level = 0 auth:3
log file = /var/log/samba/samba.log
max log size = 10000
syslog only = yes
syslog = 1000
logon drive = h:
logon home = \\host\%U
logon script = scripts\logon.cmd
logon path
show add printer wizard = no
inherit acls = yes
inherit owner = no

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /home/netlogon
admin users = root
guest ok = yes
browsable = yes
writable = no
write list = @itadmin, root, Administrator

[I]
comment = Drive I
path = /data1/I/
browseable = yes
writable = yes
create mask = 0660
directory mask = 0770
-------------------------

THANKS FOR ANY HELP!

Best regards
Axel Werner
TAKAHASHI Motonobu
2011-May-23 16:03 UTC
[Samba] samba 3.2.5 + ACLs - read/write permission become read only
From: Axel Werner <mail at awerner.homeip.net>
Date: Mon, 23 May 2011 12:49:17 +0200

(snip)

> I got a samba shared Directory like this:
>
> host:/someparentdirs/_AW_TEST# ls -lad .
> d---rws---+ 3 root root 4096 2011-05-23 10:33 .
> host:/someparentdirs/_AW_TEST#
>
> host:/someparentdirs/_AW_TEST# getfacl .
> # file: .
> # owner: root
> # group: root
> user::---
> group::---
> group:ALL:rwx
> group:CCIGUESTS:rwx
> mask::rwx
> other::---
> default:user::---
> default:group::---
> default:group:ALL:rwx
> default:mask::rwx
> default:other::---
>
> As u can see the Groups ALL are granted RWX. ANYTHING ELSE is been set
> to owner root.root with 000 Permissions.

(snip)

> NOW a given Regular Windows-User "wernera" which is MEMBER OF "ALL" is
> supposed to have READ-/WRITE PERSMISSIONS on those Files, right?? At
> least i would expect that.
>
> But Fact is, that in this configuration my user "wernera" can only
> access these Files "READ ONLY", independent of what Windows Application
> used. He will be able to creat new files and all. But those existing
> Files became READONLY for some reason.

As far as I examined with Samba 3.5.6 self-compiled on Lenny, with the ACLs set like this:

# file: aclshare3/
# owner: root
# group: root
user::---
group::rwx    <---- owner group permission
group:aclshare3rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:aclshare3rw:rwx
default:mask::rwx
default:other::---

[aclshare3]
path = /some/where/aclshare3
writeable = yes

force group = root
inherit permissions = yes
; inherit owner = yes

store dos attributes = yes
map archive = no
map read only = no

Actually the owner group permission works as the "mask" value. When I set:

# setfacl -m m:rwx,g::--- aclshare3/

then no user can access the aclshare3 directory, and when I set:

# setfacl -m m:rwx,g::r-x aclshare3/

then no user can write to the aclshare3 directory.

Anyway, I recommend that root always has rwx on files when you use POSIX ACLs to control access, like:

1) chown root; chgrp root
2) chmod g+rwx; setfacl -m g::rwx; setfacl -d -m g::rwx
3) set "force group = root"

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
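Added example (my own Python model, not code from either poster): it applies the POSIX.1e ACL access algorithm and Samba's `map readonly` DOS-attribute mapping to the two file ACLs posted above, for a user who is a member of group ALL only. Assumptions: the uid/gid numbers are constructed, and the `map readonly` rules are taken from the smb.conf manual as I read it (`yes`, the 3.x default, derives the READONLY attribute from the owner write bit alone), which is why a `user::---` entry matters to Windows clients but not to a console login.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Access ACL of one file as getfacl prints it; perms are strings like 'rwx' or '---'."""
    user: str                                   # user::   (owner entry)
    group: str                                  # group::  (owning-group entry)
    other: str                                  # other::
    mask: str = "rwx"                           # mask::
    users: dict = field(default_factory=dict)   # named user:NAME:perms entries
    groups: dict = field(default_factory=dict)  # named group:NAME:perms entries

def _grants(perms, want):
    return all(c in perms for c in want)

def posix_access(acl, uid, gids, owner_uid, owner_gid, want):
    """POSIX.1e access check: the first matching class decides, and every
    named-user, owning-group and named-group entry is limited by mask::."""
    if uid == owner_uid:                        # owner: user:: alone, no mask, no fallthrough
        return _grants(acl.user, want)
    if uid in acl.users:
        return _grants(acl.users[uid], want) and _grants(acl.mask, want)
    group_entries = [acl.group] if owner_gid in gids else []
    group_entries += [p for g, p in acl.groups.items() if g in gids]
    if group_entries:                           # any matching group entry that grants wins
        return any(_grants(p, want) and _grants(acl.mask, want) for p in group_entries)
    return _grants(acl.other, want)

def samba_dos_readonly(acl, map_readonly, uid, gids, owner_uid, owner_gid):
    """DOS READONLY attribute as smbd derives it for a file (assumption: 'yes', the
    3.x default, is the inverse of the owner write bit; 'permissions' uses the
    connecting user's effective write access; 'no' never sets the attribute)."""
    if map_readonly == "yes":
        return "w" not in acl.user
    if map_readonly == "permissions":
        return not posix_access(acl, uid, gids, owner_uid, owner_gid, "w")
    return False

# Constructed ids: root owns the files; wernera is a member of group ALL only.
ROOT, ALL, WERNERA = 0, 1000, 1001
BEFORE = Acl(user="---", group="---", other="---", groups={ALL: "rwx"})  # ACL as posted
AFTER = Acl(user="rwx", group="---", other="---", groups={ALL: "rwx"})   # owner entry changed

def report(acl, map_readonly="yes"):
    """Returns (wernera may write per POSIX, smbd reports the file READONLY)."""
    can_write = posix_access(acl, WERNERA, {ALL}, ROOT, ROOT, "w")
    return can_write, samba_dos_readonly(acl, map_readonly, WERNERA, {ALL}, ROOT, ROOT)

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, "map readonly=yes:", report(acl), "permissions:", report(acl, "permissions"))
```

With the posted ACL the model grants write access on the console (`True`) while smbd reports READONLY under `map readonly = yes` (`True`); the owner-entry change or `map readonly = permissions` clears the attribute without changing the POSIX result.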
Axel Werner
2011-May-24 12:55 UTC
[Samba] samba 3.2.5 + ACLs - read/write permission become read only
Hi TAKAHASHI and thanks for your reply.

well, what do u think? Is that a "feature" or a bug? and where to file/report this "problem"? Should i report that thing to the samba bug tracker for more investigation?

greetings
Axel

Am 23.05.2011 18:03, TAKAHASHI Motonobu schrieb:
>
> As far as I examined at Samba 3.5.6 self-compiled on Lenny and ACLs
> were set:
>
> # file: aclshare3/
> # owner: root
> # group: root
> user::---
> group::rwx <---- owner group permission
> group:aclshare3rw:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:aclshare3rw:rwx
> default:mask::rwx
> default:other::---
>
> [aclshare3]
> path = /some/where/aclshare3
> writeable = yes
>
> force group = root
> inherit permissions = yes
> ; inherit owner = yes
>
> store dos attributes = yes
> map archive = no
> map read only = no
>
>
> Actually the owner group permission works as "mask" value. When I set:
>
> # setfacl -m m:rwx,g::--- aclshare3/
>
> then no user can access to aclshare3 directory and when I set:
>
> # setfacl -m m:rwx,g::r-x aclshare3/
>
> then no user can write to aclshare3 directory.
>
>
> Anyway, I recommend that root always have rwx on files when you use
> POSIX ACL to control access like:
>
> 1) chown root; chgrp root
> 2) chmod g+rwx; setfacl -m g::rwx; setfacl -d -m g::rwx
> 3) set "force group = root"
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>
TAKAHASHI Motonobu
2011-May-24 14:44 UTC
[Samba] samba 3.2.5 + ACLs - read/write permission become read only
From: Axel Werner <mail at awerner.homeip.net>
Date: Tue, 24 May 2011 14:55:24 +0200

> Hi TAKAHASHI and thanks for your reply.
>
> well, what do u think? Is that a "feature" or a bug?

For me, it is acceptable for this behavior to be a "feature".

> and where to file/report this "problem" to?
> Should i report that thing to the samba bug tracker for more investigation?

If you feel this is a problem, I think you should post to https://bugzilla.samba.org or discuss at samba-technical at samba.org .

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>